On Boundary Conditions for Instrumentation and Control Systems in Safety

D'Auria, Francesco Saverio
2012-01-01

Abstract

The operator of a nuclear power plant (NPP) has to demonstrate that for any credible accident the plant safety systems provide sufficient protection for its workers and for the public. The NPP safety demonstration in principle follows similar rules worldwide, while details may differ for each plant design. The deterministic safety analyses usually take a conservative approach to ensure that the calculated scenarios envelope most expected plant responses with sufficient safety margins to deal with uncertainties. One of the main questions that has to be answered when the method for the safety demonstration is laid out is "how conservative is conservative enough". The present paper contributes to the answer to this question regarding the boundary conditions to be chosen for Instrumentation and Control (I&C) systems, particularly by considering distinct approaches for a unique design. The reference NPP for the analysis is Atucha 2, a Siemens-KWU designed pressurized heavy water reactor with a three-tier I&C system (control, limitation and protection system), as is typical for German designed reactors. The control system, in contrast to the protection system, is not safety grade. It is important to emphasize that for these plant designs a third tier of controls, the limitation system, has been introduced. The limitation system is highly reliable, but does not fully qualify as a safety system. Modern plant designs (such as the EPR) also adopt such an approach. A reference case selected from the typical Safety Analysis Report set of initiating events for accident analysis (the scenario of an inadvertent closure of a main steam isolation valve) has been analysed three times, each time with a different approach to selecting the boundary conditions for the I&C systems. In the first case it has been assumed that all I&C systems respond as intended (best estimate case). The second case follows a systematic approach to postulating failures in I&C systems (but assumes that the control systems are working). The third case follows international common practice (control systems are disregarded, unless one specific control system makes the response to the event more severe). The boundary conditions assumed in the last case can also be found in the US EPR final safety analysis report. An unexpected outcome of the analyses is that the second case has the largest amount of conservatism (the lowest DNBR margin of all cases). The explanation for this brought emphasis to the compatibility between the method for selecting boundary conditions for I&C and the specific plant design under consideration. The present analysis shows that seemingly conservative decisions on the boundary conditions do not always lead to conservative results.
Use this identifier to cite or link to this document: https://hdl.handle.net/11568/831376